MegaplanIT Blog
How your Remote Workforce impacts PCI-DSS Compliance
Employees of companies of all sizes are now either required to shelter in place or State and Government lock-downs are forcing companies to require their employees to work remotely. How will this impact your PCI-DSS Compliance?
Planning To Work Remote?
How your Remote Workforce Impacts PCI-DSS Compliance
Remote Employee Demand
Companies are working hard to ensure that the technologies provided to their remote employees enable them to be effective at their jobs, but how are they ensuring these remote systems, endpoints and environments are meeting security and compliance requirements? Attackers continue to have an ample amount of opportunity to gain access into compromised accounts, access less secure remote work environments and expose or steal sensitive data.Â
People, Processes, and Technology – Where does it start?
Issues arise for companies, particularly when remote endpoint visibility is limited due to technical factors and remote employees lack the necessary security training and awareness to work securely in a remote setting. Knowing and enforcing your remote employee’s job roles and data access, whether they are onsite or working from home, is critical.Â
Remote Endpoint Risk and Threats
No Anti-Virus or Signature based A/V only running on the remote endpoints to detect malware, spyware and adware
Endpoint devices not hardened or managed in accordance with the company’s secure configuration standards
Remote users not aware of the company’s Acceptable Use policies and guidelines.
Insufficient Security Awareness training
No defined roles and responsibilities for the remote employees, restricting system and data-level access to only what is required
Remote devices not centrally managed or updated with the latest vendor security patches
Where to begin in Securing your Remote Workforce
- First, review your remote employee access roles assigned. Ensure that only those employees with a need to know can access cardholder or sensitive data.
- Engage your QSA to evaluate the endpoint configurations and review existing policies and procedures. This will ensure that all of the PCI requirements applicable to remote endpoints and processes are properly tested against prior to releasing the devices to your corporate resources.
- There are a couple of ways to conduct remote testing and validation. This can be performed at the company’s Corporate office or remotely from the QSA location, which is likely more appropriate, given the issues we are currently facing with work from home enforcement. In this case, your QSA will work with you to ensure they are provided with the necessary tools for testing (e.g. Telepresence and remote access tools).
PCI Requirements In-scope for Remote Endpoint Devices
The following PCI Requirements in scope for testing includes, but are not limited to:
Data flow and network diagrams: PCI Requirement 1.1.2
- Network diagrams and data flow diagrams depicting the flow of cardholder data from the remote employee’s home network to the corporate network, along with a narrative to support the flow should be documented.
Personal firewall on endpoints:Â PCI Requirement 1.4.
- Remote endpoints must have personal firewall installed and be actively running. The employees must not be able to alter their personal firewall settings.
Hardening Configuration Standards (NIST, CIS, SANs, etc.): PCIÂ Requirement 2.1, 2.2, 2.3, 2.4
- Remote endpoints should be configured so that only necessary services, protocols, etc. are enabled. Â All vendor-supplied default accounts should be removed or disabled, and default passwords must be changed.
- An inventory should be maintained of all remote end-point devices used by employees. The inventory should include the make/model of the device as well as the operating system and version installed on the device.
Anti-Virus on remote endpoints: PCI Requirement 5.1, 5.2, 5.3, 5.4
- Remote endpoints that are commonly affected by malicious software must have an anti-virus solution deployed and must include following:
Be capable of detecting, removing, and protecting against all known types of malicious software.
Be configured to perform automatic updates
Be configured to perform period scans
Cannot be disabled by the employee
Anti-virus software log generation must be enabled, and anti-virus logs must be retained for a minimum of 1 year.
Patch Management: PCI Requirement 6.1, 6.2
- Remote endpoints must be updated with the latest critical security patches.
Change Management: PCI Requirement 6.4
- Configuration changes made to remote endpoints must be approved and follow the company’s change control process.
Identify and authenticate access to system components: PCI Requirements 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8
- Employees must be assigned a unique user ID and a strong password for access to systems.
- Generic and shared accounts should not be used.
- Multi-factor authentication must be used for all remote access to the corporate network.
PCI Remote Employee Policy and Procedures
- Ensuring that there are properly enforced policy and procedures with regards to an Acceptable Use Policy: PCI Requirements 12.3 (Usage policy), 12.6 (Security awareness training), 12.7 (background checks)
- Employees should sign and acknowledge that they have read and understand company’s Security and Usage policies.
- Employees should receive security awareness training upon hire and on an annual basis.
- Employees should undergo a background check prior to employment.
See What We're About
At MegaplanIT, our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cybersecurity threats. We build long-term relationships with our customers and provide holistic services to meet all your security and compliance needs.
Every business has security and compliance challenges. Maybe you’ve had to repeatedly ask a compliance assessor to complete reports you could share with internal management, or your security consultant was replaced with a new consultant halfway through an assessment. Maybe you’ve been sent a different security consultant every year, or your supplier surprises you with unplanned and unbudgeted additional expenses to complete the project. Whatever the situation, the result is the same, the costs and level of effort required to stay secure and compliant never go down.
With MegaplanIT, our service offerings are clearly written and explained in detail to our clients. There are no hidden costs or surprises and you’ll never have to worry about a lack of communication with our consultants or assessors. That’s our Guarantee.
As cyber threats grow in number and sophistication, many organizations are turning to managed security service providers to help secure their digital assets and data. Based at our 24/7/365 cutting-edge security operations center in Scottsdale, Arizona, we provide a suite of managed services to ensure your business stays safe from cyber attacks.
At MegaplanIT, our expert QSAs are fully certified and have decades of experience helping businesses like yours stay compliant with industry frameworks all year round. We build long-term relationships with our customers and provide holistic services to meet all your security and compliance needs.
The vast majority of security breaches are made possible by vulnerabilities and configuration errors in an organization’s network or applications. Our fully certified security testing services are designed to help you find and fix weaknesses in your networks and applications, and prepare you digital infrastructure to withstand the latest cyber threats.
Make Our Team, Your Team!
Our innovative IT security and compliance solutions are designed to deliver customized, cost-effective service on time—because your priorities are our priorities. With a highly qualified team of PCI-DSS QSAs, Penetration Testers, and Information Security Consultants here at MegaplanIT, we will assess your unique company and business environment and design a path to security that will fit all of your needs.